Thursday 16 July 2020 | Christopher Knight KC

Share

The transfer of personal data out
of the European Union is subject to a detailed regulatory regime in Regulation
2016/679 (“the GDPR”), and may be permitted on a number of different
bases. The most straightforward basis is where the European Commission has made
a finding of adequacy under Article 45. In the absence of such a finding,
transfers may be made on the basis of appropriate safeguards, including
standard data protection clauses drafted by the Commission and adopted as a
binding contract between the data exporter (in the EU) and the data importer
(in the third country): Article 46(3)(c).

In Case C-311/18 Data Protection Commissioner v
Facebook Ireland Ltd & Schrems
(judgment of 16 July 2020), the
CJEU considered the validity under the GDPR and the Charter of the standard
data protection clauses and the Privacy Shield adequacy decision adopted in
respect of the United States of America.

The CJEU struck down the Privacy
Shield decision, holding that US law failed to limit the potential access to
transferred data of its national security agencies through their surveillance
programmes to what was strictly necessary and proportionate. Data subjects
were not provided sufficient rights to take action against the US Government in
US courts, and the Ombudsperson mechanism created for the Privacy Shield was
insufficiently independent and unable to adopt binding decisions. The CJEU
refused to stay the effect of its decision. Transfers of personal data to the
USA on the basis of the Privacy Shield decision are, accordingly, unlawful
under the GDPR.

However, the CJEU upheld the
validity of the standard clauses and gave a detailed defence of their
contractual mechanisms to protect the rights of data subjects, through the
obligations placed on both the exporter and importer of the data. Transfers on
the basis of standard clauses remain valid, and the CJEU accepted that the
generic nature of the clauses could not be invalidated by reference
to concerns about the laws of one particular third State. However, the
CJEU emphasised the responsibility of data exporters to confirm for themselves
that use of the standard clauses would in fact provide an adequate level of
protection for data subjects in the context in which they were used, and
emphasised the obligation on supervisory authorities to suspend or prohibit
transfers under such clauses to third States for which the clauses would not
provide an adequate level of protection.

The Schrems II decision of the CJEU is a major
data protection judgment, and has huge practical importance to all controllers
engaged in any form of international transfers of personal data. It will also
have significant implications for the data protection regime applicable in and
to the United Kingdom following the end of the implementation period.

The judgment can be read here.

Christopher Knight acted for the
UK Government, led by Josh Holmes KC for the written observations and unled at
the hearing.

Related Insights

  1. View News
  2. View Articles
  3. View News
  4. View News
  5. View News
  6. View Insights
  7. View Insights
  8. View News

View more →